Executive Summary

This project had three main thrusts: (1) to create a language for expressing authorization policies that satisfied numerous desiderata, including being expressive, being easy to use, having precise semantics, and allowing for accountability; (2) to add the ability to express knowledge-based specifications to Nuprl, a well-developed language that has been used extensively to prove that programs satisfy their specifications, with the intent of then using Nuprl to automatically synthesize security protocols satisfying appropriate specifications; (3) to understand the extent to which it is possible to achieve robust security in the presence of rational adversaries. With regard to (1), a language Lithium has been developed (jointly with Vicky Weissman) that satisfies many of the desiderata. Lithium was chosen as the language for NRL's MLWeb project. Halpern and Weissman worked with NRL to implement it. Due to funding problems, they implemented only part of the language. In addition, Weissman's work on giving semantics to ODRL (Open Digital Rights Language; see http://odrl.net) led to her being invited to serve on the ODRL working group, charged with giving semantics to the next version of ODRL. Weissman received her Ph.D., which was largely based on this work, in 2007. With regard to (2), working with Sabina Petride, Mark Bickford, and Robert Constable, we have added the ability to express knowledge-based specifications in Nuprl, and shown that it can be used to capture a number of specifications of interest. Petride has completed her B exam and is about to submit her Ph.D. thesis; the thesis includes a major section on using knowledge-based specifications in Nuprl. Finally, with regard to (3), working with Danny Dolev and Ittai Abraham, we have combined ideas from fault tolerance, game theory, and cryptography to design algorithms that guarantee robust security in the face of rational adversaries (that is, adversaries who have well-understood payoffs and who can therefore be incentivized appropriately), while allowing a certain fraction of the adversaries to behave in completely unpredictable ways, and we have proved that these algorithms are optimal by proving matching lower bounds. All this work has led to numerous publications and invited talks.
Objectives

Originally, this project had two goals. The first was to find a language for expressing authorization policies that satisfies the following desiderata:

(a) it is expressive (so that all policies of interest can be expressed);

(b) it is tractable (so that it is easy to compute what is permitted by a collection of policies);

(c) it is unambiguous (so that there is no ambiguity about what a policy means);

(d) it is easy for intelligent nonexperts to use;

(e) it supports accountability (so that it is easy to understand which policies lead to a particular permission and who made these policies);

(f) it allows for easy comparison of policy sets (for example, it allows us to ascertain whether one policy set is more permissive than another or whether two policy sets are in some sense equivalent);

(g) it supports policy management (for example, it allows merging two sets of policies, or dynamically updating policies over time in an easy way);

(h) it has the support of industry (so that companies are willing to create products that "understand" and enforce policies written in the language).

The second goal was to add the ability to express knowledge-based specifications in Nuprl, a well-developed language that has been used extensively to prove that programs satisfy their specifications, with the intent of then using Nuprl to automatically synthesize security protocols satisfying appropriate specifications.

Recently, a third focus of the project has been to achieve robust security in the presence of rational adversaries.

Status

Vicky Weissman and I completed our work with NRL on MLWeb; they implemented part of the language, but not all of it, due to lack of funding. Sabina Petride has completed her B exam and should hand in her thesis in the next few weeks; the thesis includes a major section on using knowledge-based specifications in Nuprl. Finally, Ittai Abraham, Danny Dolev and I have precisely characterized the conditions under which it is possible to achieve fault tolerance in a game-theoretic setting in synchronous systems; we are currently working on extending these results to asynchronous systems.
Accomplishments

Ittai Abraham, Danny Dolev, and I have precisely characterized the conditions under which it is possible to achieve fault tolerance in a game-theoretic setting in synchronous systems; we are currently working on extending these results to asynchronous systems. As a spinoff of these results, we were able to obtain the best-known results on achieving Byzantine agreement in asynchronous systems, showing that it can be done with probability 1, in polynomial time, as long as fewer than one-third of the processes are faulty. (It was known that it cannot be done if one-third or more of the processes are faulty, so this resilience is optimal.) Sabina Petride, Mark Bickford, Robert Constable, and I have just about finished a paper reporting our results on knowledge-based specifications in Nuprl. This will form part of Sabina's thesis, which should be handed in during this reporting period.


Personnel Supported

Joseph Halpern (PI), Sucheta Soundarajan (graduate student), Danny Dolev (visitor), Victoria Weissman (former graduate student).

Publications (October 1, 2007 - September 30, 2008)

1. J. Y. Halpern and R. Pucella, Characterizing and reasoning about probabilistic and non-probabilistic expectation, Journal of the ACM 54:3, 2007.

2. J. Y. Halpern and L. C. Rego, Characterizing the NP-PSPACE gap in the satisfiability problem for modal logic, Journal of Logic and Computation 17:4, pp. 795-806, 2007.

3. F. C. Chu and J. Y. Halpern, Great expectations. Part I: On the customizability of generalized expected utility, Theory and Decision 64:1, 2008, pp. 1-36.

4. J. Y. Halpern and L. C. Rego, Interactive unawareness revisited, Games and Economic Behavior 62:1, 2008, pp. 232-262.

55:1, 2008.

6. H. Chockler, J. Y. Halpern, and O. Kupferman, What causes a system to satisfy a specification?, ACM Transactions on Computational Logic 9:3, 2008.

7. D. J. Martin, J. Gehrke, and J. Y. Halpern, Toward expressive and scalable sponsored search auctions, Proc. 24th International Conference on Data Engineering, 2008, pp. 237-246.

8. I. Abraham, D. Dolev, and J. Y. Halpern, Lower bounds on implementing robust and resilient mediators, Proc. Fifth Theory of Cryptography Conference, 2008, pp. 302-319.

9. J. Y. Halpern, From qualitative to quantitative proofs of security properties using first-order conditional logic, AAAI-08 (Proceedings of the Twenty-Third AAAI Conference on Artificial Intelligence), 2008, pp. 459-464.

10. I. Abraham, D. Dolev, and J. Y. Halpern, An almost-surely terminating polynomial protocol for asynchronous Byzantine agreement with optimal resilience, Proceedings of the Twenty-Seventh Annual ACM Symposium on Principles of Distributed Computing, 2008, pp. 405-414.

11. I. Kash, E. J. Friedman, and J. Y. Halpern, The Lotus-eater attack, Proceedings of the Twenty-Seventh Annual ACM Symposium on Principles of Distributed Computing, 2008, p. 455.

12. J. Y. Halpern, Beyond Nash equilibrium: solution concepts for the 21st century, Proceedings of the Twenty-Seventh Annual ACM Symposium on Principles of Distributed Computing, 2008, pp. 1-10. Reprinted in Proceedings of the Eleventh International Conference on Principles of Knowledge Representation and Reasoning (KR 2008), 2008.

13. J. Y. Halpern, Computer science and game theory: A brief survey, The New Palgrave Dictionary of Economics (S. N. Durlauf and L. E. Blume, eds.), Palgrave MacMillan, 2008.

14. P. D. Grünwald and J. Y. Halpern, A game-theoretic analysis of updating sets of probabilities, Proceedings of the Twenty-Fourth Conference on Uncertainty in AI, 2008, pp. 240-247.

15. J. Y. Halpern, Defaults and normality in causal structures, Proceedings of the Eleventh International Conference on Principles of Knowledge Representation and Reasoning (KR 2008), 2008.

16. J. Y. Halpern, Joseph Y. Halpern, in Epistemology: 5 Questions (ed. V. F. Hendricks and D. Pritchard), Automatic Press/VIP, 2008, pp. 155-166.

Participation/Interactions

Joseph Halpern gave the following talks:

• Distributed Computing Meets Game Theory: Robust Mechanisms for Rational Secret Sharing and Multiparty Computation

- ETH, Zurich (June, 2008)

• Redoing the foundations of decision theory

- University of Kentucky, Computer Science Colloquium (January, 2008)

- University of Indiana, Cognitive Science Colloquium (March, 2008)

• Constructive Decision Theory

- Invited talk, Cowles Conference on Choice, Contracts, and Computation, New Haven (June, 2008)

- Invited talk, Workshop on Bayes and Savage, Bergen, Norway (June, 2008)

- University of Queensland, Australia, Economics Dept. Colloquium (Sept., 2008)

• Causality, responsibility, and blame: a structural-model approach

- University of Indiana, Computer Science Colloquium (March, 2008)

• Beyond Nash equilibrium: Solution concepts for the 21st Century

- EPFL, Lausanne, Switzerland (June, 2008)

- Invited talk, Twenty-Seventh Annual ACM Symposium on Principles of Distributed Computing, Toronto (August, 2008)

- Invited talk, Eleventh International Conference on Principles of Knowledge Representation and Reasoning (KR 2008), Sydney, Australia (September, 2008)

• Reasoning About Knowledge in Multiagent Systems

- Invited talk, Workshop on Information, Control, and Communication, Berlin (April, 2008)

• From qualitative to quantitative proofs of security properties using first-order conditional logic

- AAAI-08 (Twenty-Third AAAI Conference on Artificial Intelligence), Chicago (June, 2008)

• An almost-surely terminating polynomial protocol for asynchronous Byzantine agreement with optimal resilience

- Twenty-Seventh Annual ACM Symposium on Principles of Distributed Computing, Toronto (August, 2008)

• Defaults and normality in causal structures

- Eleventh International Conference on Principles of Knowledge Representation and Reasoning (KR 2008), Sydney, Australia (Sept., 2008)

Consultative and advisory functions

None this year.

New discoveries, inventions or patent disclosures

• D. J. Martin, J. Y. Halpern, and J. Gehrke, System and Method for Scalable Sponsored Auctions, patent application filed August, 2008.




Honors / Awards

• Selected Fellow of AAAS, November, 2005.

• Selected Fellow of ACM, 2002.

• Fulbright Fellow, 2001-02.

• Guggenheim Fellow, 2001-02.

• Milner Lecturer, University of Edinburgh, 2000.

• Awarded 1997 Gödel Prize for outstanding paper in the area of theoretical computer science for "Knowledge and common knowledge in a distributed environment".

• Fellow of the American Association of Artificial Intelligence, 1993.